enh: filename validation in upload handler to prevent path traversal

Author: Sammy Ndabo

webserver.js

@@ -4632,7 +4632,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
                     var names = fields.name[0].split('*'), sizes = fields.size[0].split('*'), types = fields.type[0].split('*'), datas = fields.data[0].split('*');
                     if ((names.length == sizes.length) && (types.length == datas.length) && (names.length == types.length)) {
                         for (var i = 0; i < names.length; i++) {
-                            if (obj.common.IsFilenameValid(names[i]) == false) { res.sendStatus(404); return; }
+                            var originalName = names[i];
+                            var safeName = obj.path.basename(originalName);
+                            if ((safeName !== originalName) || (obj.common.IsFilenameValid(safeName) == false)) { res.sendStatus(404); return; }
                             var filedata = Buffer.from(datas[i].split(',')[1], 'base64');
                             if ((xfile.quota == null) || ((totalsize + filedata.length) < xfile.quota)) { // Check if quota would not be broken if we add this file
                                 // Create the user folder if needed
@@ -4643,7 +4645,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
                                             obj.parent.DispatchEvent([user._id], obj, 'updatefiles'); // Fire an event causing this user to update this files
                                         });
                                     });
-                                })(xfile.fullpath, names[i], filedata);
+                                })(xfile.fullpath, safeName, filedata);
                             } else {
                                 // Send a notification
                                 obj.parent.DispatchEvent([user._id], obj, { action: 'notify', title: "Disk quota exceed", value: names[i], nolog: 1, id: Math.random() });
@@ -4653,8 +4655,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
                 } else {
                     // More typical upload method, the file data is in a multipart mime post.
                     for (var i in files.files) {
-                        var file = files.files[i], fpath = obj.path.join(xfile.fullpath, file.originalFilename);
-                        if (obj.common.IsFilenameValid(file.originalFilename) && ((xfile.quota == null) || ((totalsize + file.size) < xfile.quota))) { // Check if quota would not be broken if we add this file
+                        var file = files.files[i];
+                        var originalFilename = (typeof file.originalFilename === 'string') ? file.originalFilename : '';
+                        var safeOriginalFilename = obj.path.basename(originalFilename);
+                        var isFilenameAcceptable = (safeOriginalFilename === originalFilename) && obj.common.IsFilenameValid(safeOriginalFilename);
+                        if (isFilenameAcceptable && ((xfile.quota == null) || ((totalsize + file.size) < xfile.quota))) { // Check if quota would not be broken if we add this file
+                            var fpath = obj.path.join(xfile.fullpath, safeOriginalFilename);
 
                             // See if we need to create the folder
                             var domainx = 'domain';